vikarti.anatra/safing-portmaster
1
0
Fork 0
mirror of https://github.com/safing/portmaster synced 2025-09-02 10:39:22 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 1

Handle ICMP/v6 echo regularly

Browse source
This commit is contained in:
Daniel 2021-06-01 12:54:22 +02:00
parent 6141066252
commit 525687a30b
2 changed files with 29 additions and 19 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

46
firewall/interception.go
View file

@ -9,6 +9,7 @@ import (
"sync/atomic" "sync/atomic"
"time" "time"
"github.com/google/gopacket/layers"
"github.com/safing/portmaster/netenv" "github.com/safing/portmaster/netenv"
"golang.org/x/sync/singleflight" "golang.org/x/sync/singleflight"
@ -184,30 +185,39 @@ func fastTrackedPermit(pkt packet.Packet) (handled bool) {
} }
switch meta.Protocol { switch meta.Protocol {
case packet.ICMP: case packet.ICMP, packet.ICMPv6:
// Submit to ICMP listener. // Load packet data.
submitted := netenv.SubmitPacketToICMPListener(pkt) err := pkt.LoadPacketData()
if err != nil {
// Always permit ICMP. log.Debugf("filter: failed to load ICMP packet data: %s", err)
log.Debugf("filter: fast-track accepting ICMP: %s", pkt)
// If the packet was submitted to the listener, we must not do a
// permanent accept, because then we won't see any future packets of that
// connection and thus cannot continue to submit them.
if submitted {
_ = pkt.Accept()
} else {
_ = pkt.PermanentAccept() _ = pkt.PermanentAccept()
return true
} }
return true
case packet.ICMPv6: // Handle echo request and replies regularly.
// Other ICMP packets are considered system business.
icmpLayers := pkt.Layers().LayerClass(layers.LayerClassIPControl)
switch icmpLayer := icmpLayers.(type) {
case *layers.ICMPv4:
switch icmpLayer.TypeCode.Type() {
case layers.ICMPv4TypeEchoRequest,
layers.ICMPv4TypeEchoReply:
return false
}
case *layers.ICMPv6:
switch icmpLayer.TypeCode.Type() {
case layers.ICMPv6TypeEchoRequest,
layers.ICMPv6TypeEchoReply:
return false
}
}
// Premit all ICMP/v6 packets that are not echo requests or replies.
log.Debugf("filter: fast-track accepting ICMP/v6: %s", pkt)
// Submit to ICMP listener. // Submit to ICMP listener.
submitted := netenv.SubmitPacketToICMPListener(pkt) submitted := netenv.SubmitPacketToICMPListener(pkt)
// Always permit ICMPv6.
log.Debugf("filter: fast-track accepting ICMPv6: %s", pkt)
// If the packet was submitted to the listener, we must not do a // If the packet was submitted to the listener, we must not do a
// permanent accept, because then we won't see any future packets of that // permanent accept, because then we won't see any future packets of that
// connection and thus cannot continue to submit them. // connection and thus cannot continue to submit them.

2
firewall/interception/nfq/packet.go
View file

@ -145,7 +145,7 @@ func (pkt *packet) PermanentAccept() error {
} }
func (pkt *packet) PermanentBlock() error { func (pkt *packet) PermanentBlock() error {
if pkt.Info().Protocol == pmpacket.ICMP { if pkt.Info().Protocol == pmpacket.ICMP || pkt.Info().Protocol == pmpacket.ICMPv6 {
// ICMP packets attributed to a blocked connection are always allowed, as // ICMP packets attributed to a blocked connection are always allowed, as
// rejection ICMP packets will have the same mark as the blocked // rejection ICMP packets will have the same mark as the blocked
// connection. This is why we need to drop blocked ICMP packets instead. // connection. This is why we need to drop blocked ICMP packets instead.